强制性约束下企业信息安全投资与网络保险的最优决策分析

doi:10.16381/j.cnki.issn1003-207x.2019.1057

中国管理科学 ›› 2021, Vol. 29 ›› Issue (6): 70-81.doi: 10.16381/j.cnki.issn1003-207x.2019.1057

强制性约束下企业信息安全投资与网络保险的最优决策分析

董坤祥¹, 谢宗晓², 甄杰³

1. 山东财经大学管理科学与工程学院,山东济南 250014;
2. 中国金融认证中心,北京 100054;
3. 重庆工商大学管理科学与工程学院,重庆 400067

收稿日期:2019-07-19 修回日期:2019-10-12 发布日期:2021-06-29
通讯作者: 谢宗晓(1979-),男(汉族),山东日照人,中国金融认证中心,副研究员,博士,研究方向:金融信息与网络安全管理,E-mail:xiezongxiao@vip.163.com. E-mail:xiezongxiao@vip.163.com
基金资助:
国家社会科学基金资助项目（17CGL019）

Optimal Decision Analysis of Information Security Investment and Cyber Insurance under Mandatory Constraints

DONG Kun-xiang¹, XIE Zong-xiao², ZHEN Jie³

1. School of Management Science and Engineering, Shandong University of Finance and Economics, Jinan 250014, China;
2. China Financial Certification Authority, Beijing 100054, China;
3. School of Management Science and Engineering, Chongqing Technology and Business University, Chongqing 400067, China

Received:2019-07-19 Revised:2019-10-12 Published:2021-06-29

摘要/Abstract

摘要： 研究了强制性约束下企业信息安全投资和网络保险的最优决策问题，对比了可观测企业损失和不可观测企业损失两种情形下基于破产概率约束的最优安全投资和网络保险保费厘定。研究结果表明：在可观测损失和公平保费情况下，当最大化单个企业的期望效用时，存在最优安全投资额，并且政府补贴和强制性约束都可以激励企业增加安全投资；但是当最大化所有企业效用时，只有强制性约束才能增加企业安全投资使得总效用最大化，并且企业的最优安全投资与损失的可观测程度无关。在不可观测损失情况下，当最大化单个企业期望效用时，企业的安全投资增大，而最大化所有企业效用时，存在正网络外部性，即任何企业均不敢轻易的减少安全投资，即使同在一个网络中的其他企业减少了安全投资。此外，在破产概率约束下，随着保费的增加，当损失可观测时，企业的安全投资也增加，但期望效用减少了；而当损失不可观测时，企业的安全投资和期望效用均减少。本文所得结论对政府设定强制性标准，以及企业利用安全投资和网络保险进行信息安全风险控制具有较好的参考价值。

关键词: 信息安全投资, 网络保险, 强制性约束, 可观测损失, 不可观测损失

Abstract: The management and prevention of information security risks have become the most concern for enterprises and government departments. The security investment and cyber insurance are the most efficient tools for firms to reduce the loss of information security risks, which caused by hacker attacks or improper security operations. With the promulgation of Cyberspace Security Law of China and the General Data Protection Regulations of the European Union and other mandatory rules and regulations, the firms' information security investment and security level will be affected by these mandatory constraints.
In this context, the optimal decision problem of information security investment and cyber insurance under mandatory constraints is studied in this paper. And the optimal security investment and cyber insurance premium determination based on bankruptcy probability constraint under observable enterprise loss and unobservable enterprise loss were compared. Research results show that:
(1) In the observed loss and fair premium cases, when to maximize the expected utility of individual enterprises, the optimal security investment was explored, and the optimal values could be improved by the government subsidies and mandatory constraint. But when all enterprises maximize utility, the firms' security investment and her total utility could be increased only by the mandatory constraint. What's more, the optimal security investment has nothing to do with the loss of the observable degree.
(2) In the case of unobservable loss, when the expected utility of a single firm is maximized, the security investment of the firm will be increased; while when the utility of all firms are maximized, any firm cannot easily reduce the security investment, even if other firms reduce the security investment.
(3) Under the constraint of ruin probability and actuarially fair policy, the amount of security investment of the firm would not be affected by the premium formulation. So the security investment, vulnerability level and expected utility of the firm remain unchanged. But as the premium increases, the amount of claims increases continuously. Under the constraint of ruin probability and the ratio of coverage policy, the firm's security investment is increased, but the firm's security investment and expected utility is decreased.
The policy implication of this paper could be applied by firms to control information security risks and guide the investment of information security and cyber insurance. However, the dynamic distribution of information security risk loss and the deductible of insurance are not considered in this research. In future work, the dynamic risk measurement method and CVaR method should be taken into consideration.

Key words: information security investment, cyber insurance, mandatory constraints, observable loss, unobservable loss

中图分类号:

F840.4

董坤祥, 谢宗晓, 甄杰. 强制性约束下企业信息安全投资与网络保险的最优决策分析[J]. 中国管理科学, 2021, 29(6): 70-81.

DONG Kun-xiang, XIE Zong-xiao, ZHEN Jie. Optimal Decision Analysis of Information Security Investment and Cyber Insurance under Mandatory Constraints[J]. Chinese Journal of Management Science, 2021, 29(6): 70-81.

参考文献

[1] Gordon L A, Loeb M P. The economics of information security investment[J]. ACM Transactions on Information and System Security, 2002, 5(4):438-457.
[2] Gordon L A, Loeb M P, Sohail T. A framework for using insurance for cyber-risk management[J]. Communications of the ACM, 2003, 46(3):81-85.
[3] Anderson R, Moore T. The economics of information security[J]. Science, 2006, 314(5799):610-613.
[4] Herath H S B, Herath T C. Investments in information security:A real options perspective with bayesian postaudit[J]. Journal of Management Information Systems, 2008, 25(3):337-375.
[5] Benaroch M. Real options models for proactive uncertainty-reducing mitigations and applications in cybersecurity investment decision making[J]. Information Systems Research, 2018, 29(2):315-340.
[6] Gao Xing, Zhong Weijun. A differential game approach to security investment and information sharing in a competitive environment[J]. IIE Transactions, 2016, 48(6):511-526.
[7] Nagurney A, Daniele P, Shukla S. A supply chain network game theory model of cybersecurity investments with nonlinear budget constraints[J]. Annals of Operations Research, 2017, 248(1-2):405-427.
[8] 吕俊杰, 邱菀华, 王元卓. 基于相互依赖性的信息安全投资博弈[J]. 中国管理科学, 2006, 14(3):7-12. Lyu Junjie, Qiu Wanhua, Wang Yuanzhuo. An analysis of games of information security investment based on interdependent security[J]. Chinese Journal of Management Science, 2006, 14(3):7-12.
[9] Ezhei M, Tork Ladani B. Interdependency analysis in security investment against strategic attacks[J]. Information Systems Frontiers, 2018:1-15.
[10] Hasheminasab S A, Tork Ladani B. Security investment in contagious networks[J]. Risk Analysis, 2018, 38(8):1559-1575.
[11] Marotta A, Martinelli F, Nanni S, et al. Cyber-insurance survey[J]. Computer Science Review, 2017, 24:35-61.
[12] 向尚, 邹凯, 蒋知义,等. 基于随机森林的智慧城市信息安全风险预测[J]. 中国管理科学, 2016, 24(S1):277-281. Xiang Shang, Zou Kai, Jiang Zhiyi, et al. Risk prediction of smart city information security based on random forest[J]. Chinese Journal of Management Science, 2016, 24(S1):277-281.
[13] Eling M, Schnell W. What do we know about cyber risk and cyber risk insurance?[J]. The Journal of Risk Finance, 2016, 17(5):474-491.
[14] Khalili M M, Naghizadeh P, Liu M. Designing cyber insurance policies:The role of pre-screening and security interdependence[J]. IEEE Transactions on Information Forensics and Security, 2018, 13(9):2226-2239.
[15] Vakilinia I, Sengupta S. A coalitional cyber-insurance framework for a common platform[J]. IEEE Transactions on Information Forensics and Security, 2019, 14(6):1526-1538.
[16] 顾建强, 梅姝娥, 仲伟俊. 基于网络安全保险的信息系统安全投资激励机制[J]. 系统工程理论与实践, 2015, 35(4):1057-1062. Gu Jianqiang, Mei Sue, Zhong Weijun. Cyber insurance as an incentive for information system security[J]. Systems Engineering Theory & Practice, 2015, 35(4):1057-1062.
[17] Massacci F, Swierzbinski J, Williams J. Cyberinsurance and public policy:Self-protection and insurance with endogenous adversaries[J]. Paragraph, 2017, 1(2):1-38.
[18] 董坤祥, 谢宗晓, 甄杰,等. 相依风险下保险公司投资信息安全软件的最优决策分析[J]. 保险研究, 2019, 6:66-80. Dong Kunxiang, Xie Zongxiao, Zhen Jie. Optimal decision analysis of insurance company investment information security software under dependent risk[J]. Insurance Studies, 2019, (6):66-80.
[19] Zhao X, Xue L, Whinston A B. Managing interdependent information security risks:Cyberinsurance, managed security services, and risk pooling arrangements[J]. Journal of Management Information Systems, 2013, 30(1):123-152.
[20] Öǧüt H, Raghunathan S, Menon N. Cyber security risk management:Public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection[J]. Risk Analysis:An International Journal, 2011, 31(3):497-512.
[21] Lee C H, Geng X, Raghunathan S. Mandatory standards and organizational information security[J]. Information Systems Research, 2016, 27(1):70-86.
[22] Laube S, B hme R. The economics of mandatory security breach reporting to authorities[J]. Journal of Cybersecurity, 2016, 2(1):29-41.
[23] Woods D, Simpson A. Policy measures and cyber insurance:A framework[J]. Journal of Cyber Policy, 2017, 2(2):209-226.

强制性约束下企业信息安全投资与网络保险的最优决策分析

Optimal Decision Analysis of Information Security Investment and Cyber Insurance under Mandatory Constraints

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 2

Metrics

本文评价

推荐阅读 10

[1]	段白鸽, 张连增. 考虑两类赔款数据相关性的随机性准备金进展法及改进[J]. 中国管理科学, 2014, 22(4): 9-16.
[2]	孙艳, 郭菊娥, 王乐. 基于债务展期的企业融资担保合约博弈分析[J]. 中国管理科学, 2009, 17(3): 159-165.